I have to say that I am astounded at this column. I encountered the same virus/whatever called Cryptolocker about 3 weeks ago. I know it has been out a fair long time. I got rid of it easily in under an hour. Admittedly I work "in the trenches" meaning that I do PC build/repair/delouse as most of my daily job so I do come into contact with viruses on other people's machines OFTEN. Cryptolocker was relatively easy to remove to be honest, using the usual tools and didn't require a real lot of time or effort on my part. As a result, the files that were supposedly to be locked soon, were not locked.

I suggest to anyone reading my reply who wants to try this out for themselves, infect your own test machine with Cryptolocker, kill the task then use your favourite kill technique first then just run MBAM for a second backup and follow up with a DECENT antivirus such as a trial Sophos or free AVG and it is gone and no need to worry. My personal first line of attack is one that may well kill off your Windows if you don't know what you are doing well enough so I hesitate to mention it here but there are plenty of such programs available on the net without having to mention it so try looking up. Sophos removal tool is good enough to get rid of it. It *IS* important to kill the Cryptolocker task BEFORE doing anything else though. I suppose it depends on variants that may come up in the future but you could either start in Safe mode (may not help if a variant takes that into account) or even use HijackThis to delete the entry for it to begin with after first killing the task then reboot if you feel the need or just proceed on with getting rid of it.

Also, I realise some of you may tell me I am telling BS. I can only say to you that I am not. If you want to try it yourself, go for it. Like I said, important to kill the task before doing anything else. After that, all is simple with the right removal tools and a follow up MBAM scan then a follow up DECENT antivirus scan after that.

gregwh - I don't really see what there is to be astounded about. Many readers don't work "in the trenches" and so wouldn't have your knowledge/expertise. They wouldn't know, for example, about the importance of killing the task before carrying out any other action that you speak of. In any case, prevention has always to be better than cure, no?

"Is it possible to decrypt files encrypted by CryptoLocker?
Unfortunately at this time there is no way to retrieve the private key that can be used to decrypt your files. Brute forcing the decryption key is not realistic due to the length of time required to break the key. Also any decryption tools that have been released by various companies will not work with this infection."

Indications are that any removal, even if successful, would still leave the files encrypted. So what have we accomplished by removing the infection? Our data would still be lost.

This is yet another wake-up call to do regular data backups. Unlike system image backups, which can be done once a month for many home users, data backup or cloud synchronizing must be done daily or more often, to prevent significant data loss when (not if) Windows once again shows its inherent insecurities in novel and as yet unpreventable ways.

This infection is not unpreventable. It is as yet only socially engineered. Due diligence in not trusting emails from even known correspondents if the emails are unexpected, and not downloading and installing codecs from just anywhere, as well as the usual warnings not to click on just anything on the Web, should suffice to prevent acquiring this infection. It is not known to be transmitted as a drive-by download -- yet.

Personally, I have been running Windows since Windows 95SE, and have NEVER gotten bitten by Fake Antivirus, Ransomware or any encryption malware of any kind. I do not believe this is any different from the many previous virus warnings circulated in the tech press. It seems the only new wrinkle is that some of the emails appear to come from legitimate companies with which the user has done business. And I'd bet that pre-screening any embedded links would reveal their bogus nature to even untrained eyes.

Unfortunately, those who could benefit most from this thread and the article are the very Windows users who never look at a tech article or visit a tech forum. These Computer As Appliance users will always be sheep ripe for the fleecing.

Personally, I prefer to avoid this and other Windows alarm calls by doing something not everyone would choose to do. I run Linux almost exclusively for my Web activities these days. I don't get Netflix, but most every other Web site and Web App seems to work. (Ubuntu 13.04 Raring, 64-bits)

Linux does not run downloaded executables from most areas of the Home or Root Directories, nor from most Temp locations. The user Desktop can harbor executables, especially scripts, but these to run as Root would need a password login. User Data (such as it is under Linux) does not normally run executions either. The act of file encryption would require a Root Login with a password. Elevation of privileges under Linux is not as easy as it is under Windows. No wonder malware writers don't target Linux!

CryptoPrevent (currently at v2.2) seems like a very simple (to use) and elegant preventative solution - and free. Has anyone used this with success? Shame that he doesn't provide an md5sum to verify the download...

Re taking frequent backups, isn't there a danger that a backup will happen while CryptoLocker is doing its nasty work, so you end up overwriting a previous good backup with locked versions of some of your files?

I heard that some antivirus software does spot and delete CryptoLocker-infected emails, others have been infected despite having av software (including Avast, which I use).

> CryptoPrevent (currently at v2.2) seems like a very simple (to use) and elegant preventative solution - and free. Has anyone used this with success? Shame that he doesn't provide an md5sum to verify the download...

I was happy to use it as Lawrence Abrams at bleepingcomputer recommends it.

> Re taking frequent backups, isn't there a danger that a backup will happen while CryptoLocker is doing its nasty work, so you end up overwriting a previous good backup with locked versions of some of your files?

I think that's a very real danger. I guess the only way to protect against that is to keep X number of backups (however many your storage allows). Actually, the way I understand it, CryptoLocker could also encrypt backup files anyway - even if they're stored on external drives/NASs - so maybe we need to get out those blank DVDs/Blu-ray disks.

I thought the whole purpose of un-installing JAVA was to prevent these types of attacks...

Does this mean if JAVA is un-installed you are still susceptible to this type of attack?

Take a look at the bleepingcomputer link I posted previously - that'll tell you how it's spread - but no, uninstalling JAVA doesn't help in this case.

> I was happy to use it as Lawrence Abrams at bleepingcomputer recommends it.

Thanks I will probably do the same.

Re backups, at our office we do onsite and then offsite backup of data files using rdiff-backup and rsync (using a wrapper software package/instructions I wrote called TimeDicer). The backup machine runs Linux and the Windows clients connect using ssh (plink.exe) so the backup machine should be safe from CryptoLocker, of course encrypted files might be backed up but as it keeps all versions the previous unencrypted files should be recoverable.

Still it is obviously better to avoid the infection!

Edit: For anyone else, the md5sum of my copy of CryptoPreventSetup.exe (v2.2, the installer version) is ffff9031a306b9b644b3155603093205. I've now installed it, will of course post here if I have any problems...
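The point made above about versioned backups (and the earlier worry about a backup overwriting good copies with locked ones) can be shown in a few lines. The following is an added illustration, not TimeDicer or rdiff-backup code: a hypothetical in-memory store that keeps every version of each file, flags a snapshot in which all changed files suddenly became high-entropy (what ciphertext looks like), and restores the newest version that still looks like real data. The scenario in demo() is constructed; random bytes stand in for the encrypted output.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: English text ~4-5, ciphertext close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class VersionedStore:
    """Hypothetical store that keeps every version of every file instead of overwriting."""
    def __init__(self):
        self.blobs, self.history = {}, {}  # sha256 -> bytes; name -> [(label, sha256, entropy)]

    def snapshot(self, src, label):
        """Back up every file in src; return {name: entropy} for files whose content changed."""
        changed = {}
        for path in sorted(p for p in Path(src).iterdir() if p.is_file()):
            data = path.read_bytes()
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)          # old blobs are never replaced
            versions = self.history.setdefault(path.name, [])
            if not versions or versions[-1][1] != digest:
                versions.append((label, digest, entropy(data)))
                changed[path.name] = versions[-1][2]
        return changed

    def looks_like_ransomware(self, changed, threshold=7.0):
        """Crude alarm: several files changed in one run and every one became high-entropy."""
        return len(changed) >= 2 and all(e >= threshold for e in changed.values())

    def restore(self, name, threshold=7.0):
        """Newest version of name whose content does not look encrypted."""
        for _, digest, ent in reversed(self.history[name]):
            if ent < threshold:
                return self.blobs[digest]
        raise LookupError(f"no clean version of {name}")

def demo():
    """Constructed scenario: a clean day-1 backup, then a day-2 run after an overwrite."""
    store, names = VersionedStore(), ("report.docx", "budget.xlsx", "notes.txt")
    original = b"Quarterly figures: revenue up 12%, costs flat.\n" * 40
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            Path(tmp, name).write_bytes(original)
        day1 = store.snapshot(tmp, "day1")
        for name in names:  # random bytes stand in for the locked versions of the files
            Path(tmp, name).write_bytes(os.urandom(4096))
        day2 = store.snapshot(tmp, "day2")
    return {"day1_flagged": store.looks_like_ransomware(day1),
            "day2_flagged": store.looks_like_ransomware(day2),
            "restored_ok": store.restore("report.docx") == original}
```

A single overwritten backup would have lost report.docx; because the store kept the day-1 blob, restore() hands back the original bytes even though the day-2 snapshot ran after the damage.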

The local security policy change as mentioned in the article is way too problematic. Many legitimate programs use local and roaming appdata locations for executables, including lots of Google programs (such as chrome and numerous update files). I certainly don't see "folks with solid IT savvy" doing either this or "application whitelisting" for themselves. For corporate environments, of course, whitelisting or locked-down desktops may be appropriate...

Does this mean that Windows 7 Home Premium has no ability to apply policies to guard against CryptoLocker?

CryptoPrevent claims to work fine with 'Home' versions and even with XP, because it bypasses the Group Policy Editor.

One small example I have found of a non-functioning legitimate program after applying CryptoPrevent is that the latest Avast's 'Browser Cleanup' tool fails - this is because it works by extracting the executable tool from a 7z archive in %TEMP% and then running it, which the new policies do not allow. At least it proves that the policies are working.

I think I may have had the virus because I was getting the Excel message. Luckily I rely on Libre Office and nothing I created was affected. Open Source is usually the solution. None of the extensions listed in the article are Libre Office extensions. Because of a problem with my sound system on Windows7 (I could not play music or watch HBOGO on Firefox and games had no music) I reformatted my computer. Different forums said I had a virus, but I could not find it using various programs. Everything is sort of back to normal. One of these days Adobe is going to realize Linux runs their servers and they should program things like Shockwave to work on Linux computers.